Enterprise risk management: how do firms integrate cyber risk?

Management Research Review (IF 3.1, JCR Q2, Management). Published: 2023-05-26. DOI: 10.1108/mrr-10-2021-0774
Sasha Romanosky, Elizabeth Petrun-Sayers
Citations: 0

Abstract

Purpose
The purpose of this study is to examine how companies integrate cyber risk into their enterprise risk management (ERM) practices. Data breaches have become commonplace, with thousands occurring each year, and some costing hundreds of millions of dollars. Consequently, cyber risk has become one of the gravest risks facing organizations, and has attracted boardroom-level attention. On the other hand, companies already manage many kinds of difficult and growing risks, and firms lose less than 1% of annual revenues as a result of cyber incidents. Therefore, how should firms appropriately address cyber risk? Is it a materially different kind of risk, or is it simply one more risk that can be integrated into existing ERM practices?

Design/methodology/approach
The authors performed thematic analysis of semi-structured interviews, using non-probabilistic, purposive sampling, to answer two main questions. First, how do firms manage enterprise risks in general? Second, how are they integrating cyber risk into these existing processes?

Findings
The authors find considerable variation in the approach and sophistication of ERM practices, such as whether the ERM function operates more like an auditing function or as a risk champion. They also find that, despite the novelty of cyber risk, it can be integrated like other enterprise risks, and that cyber risk is most often treated as an operational risk (similar to workplace accidents or fraud) rather than as a strategic risk arising from, for example, technology innovation and R&D.

Research limitations/implications
Generalization of the results is limited by the sample size and the variation among the firms interviewed. While the authors attempted to interview enterprise risk managers across a wide variety of firms, there were clear limitations in scope. That said, the authors were able to examine ERM and cyber risk practices across small and large, private and publicly traded companies from a variety of business sectors.

Practical implications
The authors believe these findings are important because they present evidence that, while cyber risk may be new, it does not require specialized handling or processes to track it at the enterprise level. Some firms may choose to give it special accommodation or attention because of their data collection or business practices, but this is neither necessary nor required of all firms in all situations.

Originality/value
To the best of the authors' knowledge, this research is one of the few papers that examines how cyber risk is integrated at the enterprise level.
Source journal
Management Research Review. CiteScore: 6.00. Self-citation rate: 7.70%. Articles published: 71.
Journal description: Management Research Review publishes a wide variety of articles outlining the latest management research, emphasizing management implications from multiple disciplines. It welcomes high-quality empirical and theoretical studies, literature reviews, and articles with important tactical implications. Published 12 times a year, the journal prides itself on quick publication of the very latest research in general management. Key topics include business ethics and sustainability; corporate finance; entrepreneurship and small business management; industrial relations; information and knowledge management; international business; human resource management; organizational theory and behaviour; production and operations management; and strategic management and leadership.